Message	Id	Version	Qualifiers	Level	Task	Opcode	Keywords	RecordId	ProviderName	ProviderId	LogName	ProcessId	ThreadId	MachineName	UserId	TimeCreated	ActivityId	RelatedActivityId	ContainerLog	MatchedQueryIds	Bookmark	LevelDisplayName	OpcodeDisplayName	TaskDisplayName	KeywordsDisplayNames	Properties
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x6C7C24 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60582 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17357	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:04:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x6C7C24 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17356	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:04:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17355	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:04:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17354	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:04:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x24357 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1268 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0		0	13826	0	-9214364837600034816	17353	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:04:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d426d04a-5c7a-41d8-ba53-1260eec698e3 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	17352	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:04:20 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d426d04a-5c7a-41d8-ba53-1260eec698e3 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\dd1d5c87532e7603e6c1f0640965d77c_8bdcdd07-8460-467e-8f94-2d70c264125f Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	17351	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:04:20 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x687EA3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17350	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:03:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6944E4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17349	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:03:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6944E4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17348	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:03:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6944E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17347	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:03:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17346	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:03:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x68FA2B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17345	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:03:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x68FA2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60574 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17344	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:47 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x68FA2B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17343	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:47 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C13D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17342	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C13D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17341	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C13D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17340	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17339	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x688BB5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17338	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x688BB5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17337	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x688BB5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17336	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17335	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x687CBE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17334	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x687EA3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17333	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x687EA3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17332	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17331	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x687E4A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17330	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x687E4A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17329	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x687E4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17328	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17327	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x687DE0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17326	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x687DE0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17325	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x687DE0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17324	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17323	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x687CBE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17322	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-444376108-1334761911-1632316310-1248413850 Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x687CBE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17321	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A7CA42C-D9B7-4F8E-962B-4B619A48694A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17320	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:02:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x68392E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17319	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:01:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x68392E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60563 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17318	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:00:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x68392E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17317	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 8:00:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D710 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17316	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:59:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x678CFB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17315	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:58:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x678CFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60555 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17314	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:58:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x678CFB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17313	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:58:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6747AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17312	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6747AB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17311	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6747AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17310	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17309	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x671292 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17308	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x671292 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17307	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:42 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x671292 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17306	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:42 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17305	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:42 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D5A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17304	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D710 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17303	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D710 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17302	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17301	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D6B0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17300	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D6B0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17299	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D6B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17298	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17297	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D662 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17296	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D662 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17295	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D662 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17294	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17293	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D5A3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17292	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1383729580-1330272368-716722562-2669329231 Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D5A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17291	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 527A09AC-5870-4F4A-8251-B82A4FBB1A9F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17290	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:57:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x66A95B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17289	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:56:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x66A95B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60546 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17288	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:56:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x66A95B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17287	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:56:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x664A1B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17286	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:54:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x664A1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60537 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17285	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:54:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x664A1B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17284	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:54:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x65E908 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17283	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:52:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x65E908 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60514 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17282	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:52:42 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x65E908 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17281	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:52:42 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x658985 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17280	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:50:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x658985 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60510 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17279	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:50:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x658985 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17278	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:50:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x652521 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17277	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:48:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x652521 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60498 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17276	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:48:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x652521 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17275	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:48:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x644A7D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17274	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:47:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x644598 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17273	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:47:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6469AA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17272	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6469AA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17271	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6469AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17270	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17269	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645760 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17268	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645760 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17267	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x645760 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17266	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17265	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x644935 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17264	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x644A7D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17263	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x644A7D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17262	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17261	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x644A24 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17260	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x644A24 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17259	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x644A24 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17258	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17257	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6449DB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17256	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6449DB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17255	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6449DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17254	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17253	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x644935 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17252	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-437349186-1246627005-3148044694-3769912067 Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x644935 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17251	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A116B42-04BD-4A4E-9659-A3BB034BB4E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17250	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x643D90 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17249	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x6445E8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17248	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x6445F6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17247	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x6445F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60492 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17246	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x6445F6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17245	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x6445E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60491 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17244	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x6445E7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17243	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x6445E8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17242	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x6445E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60490 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17241	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x6445E7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17240	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x644598 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60489 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17239	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x644598 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17238	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x643D90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60488 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17237	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x643D90 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17236	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:46:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x63D5EB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17235	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:44:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x63D5EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60482 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17234	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:44:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x63D5EB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17233	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:44:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x637264 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17232	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:42:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x637264 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60466 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17231	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:42:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x637264 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17230	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:42:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x630E2B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17229	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:40:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x630E2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60454 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17228	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:40:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x630E2B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17227	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:40:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x623342 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17226	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62184E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17225	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x625B1F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17224	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x625B1F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17223	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x625B1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17222	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x623342 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60419 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x623342 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x622527 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x622527 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x622527 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6216FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62184E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62184E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6217F5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6217F5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6217F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6217A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6217A5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6217A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6216FF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1621939078-1213830738-2193249674-664004863 Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6216FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60ACD386-9652-4859-8A55-BA82FFE89327 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:38:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x612C8B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x613515 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x617123 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x617123 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x617123 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x615E6A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x615E6A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x615E6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x614203 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x614203 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x614203 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6133CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x613515 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x613515 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6134BC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6134BC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6134BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x613473 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x613473 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x613473 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6133CD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2972796744-1103993515-3164694187-3812902002 Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6133CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B1314748-9AAB-41CD-AB66-A1BC724444E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x612CDF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x612CDC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x612CDA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x612CDC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60401 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x612CDC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x612CDF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60400 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x612CDF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x612CDA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60402 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x612CDA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x612C8B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60399 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x612C8B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:37:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x60F8D1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:36:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x60F8D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60392 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:36:34 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x60F8D1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:36:34 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602B86 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x604A8A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x604A8A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x604A8A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x603839 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x603839 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x603839 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602A3E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602B86 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602B86 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602B2D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602B2D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602B2D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602AE4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602AE4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602AE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602A3E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3826370344-1299614096-2909123225-3393360090 Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x602A3E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E411C728-8990-4D76-99B2-65ADDA9042CA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F29CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:35:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5FD30A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:34:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x5FD30A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60383 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:34:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5FD30A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:34:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F6CAC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F6CAC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F6CAC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F36A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F36A7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F36A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F2873 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F29CD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F29CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F2974 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F2974 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F2974 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F2920 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F2920 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F2920 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F2873 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3760822868-1329008974-3963780257-2044456550 Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F2873 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0299A54-114E-4F37-A17C-42EC66EEDB79 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E0699 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:32:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5EB946 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:32:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x5EB946 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60370 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:32:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5EB946 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:32:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E49E3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:31:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E49E3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:31:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E49E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:31:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:31:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E13F1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E13F1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E13F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E0546 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E0699 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E0699 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E0640 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E0640 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E0640 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E05F2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E05F2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E05F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E0546 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3574901994-1186630726-2287609475-151117485 Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E0546 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D514ACEA-8C46-46BA-8326-5A88ADDE0109 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5DA77B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CEF24 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x5DA77B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60357 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5DA77B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:30:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D3039 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D3039 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D3039 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5CDC61 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFBF6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFBF6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFBF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CEDD6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CEF24 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CEF24 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CEECB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CEECB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CEECB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CEE7B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CEE7B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CEE7B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CEDD6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-254480818-1239585529-707210127-1406724734 Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CEDD6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0F2B11B2-92F9-49E2-8F2B-272A7EEAD853 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5C58DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x5CDC61 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60349 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5CDC61 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C5E71 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C7E19 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C7E19 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C7E19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C6BC9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C6BC9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C6BC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C5D25 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C5E71 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C5E71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C5E18 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C5E18 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C5E18 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C5DCF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C5DCF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C5DCF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C5D25 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1168223042-1108357910-2581549205-2436812160 Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C5D25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45A1AB42-3316-4210-9550-DF9980CD3E91 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5C5932 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5C591F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5C5920 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5C5932 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60346 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5C5932 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5C5920 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60345 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5C5920 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5C591F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60344 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5C591F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5C58DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60343 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5C58DB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	920	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:28:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B622E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:27:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BA1B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:27:03 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BA1B2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:27:03 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BA1B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:27:03 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:27:03 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5AD1B3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B6F02 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B6F02 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B6F02 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B60DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B622E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B622E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B61D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B61D5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B61D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B6185 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B6185 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B6185 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B60DD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1409726286-1151957045-298789010-2995014896 Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B60DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5406B74E-7835-44A9-9228-CF11F04C84B2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD616 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AF5F3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AF5F3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:47 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AF5F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:47 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:47 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE376 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE376 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE376 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD4CE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD616 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD616 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD5BD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD5BD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD5BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD574 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD574 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD574 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16967	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD4CE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1916249325-1138578054-699505299-3034393578 Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD4CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7237A4ED-5286-43DD-939A-B129EA2BDDB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5AD208 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5AD215 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5AD206 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5AD208 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60326 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5AD208 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5AD215 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60327 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5AD215 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5AD206 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60325 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5AD206 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5AD1B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 60324 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5AD1B3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5AC9EF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x5AC9EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60323 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:29 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5AC9EF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:26:29 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597D29 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:25:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5A17AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:24:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x5A17AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60313 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:24:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5A17AA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:24:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59D272 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59D272 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59D272 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x599D6A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x599D6A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x599D6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597BCE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597D29 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597D29 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597CD0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597CD0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597CD0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597C86 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597C86 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597C86 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597BCE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-718325278-1168697452-2791255731-2865418964 Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597BCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2AD0C61E-E86C-45A8-B32E-5FA6D4D2CAAA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:23:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x59462D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:22:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x59462D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60306 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:22:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x59462D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:22:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x58E77D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:20:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x58E77D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60294 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:20:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x58E77D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:20:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x588650 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:18:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x588650 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60278 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:18:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x588650 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:18:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57B461 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:18:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58237A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:18:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58237A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:18:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58237A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:18:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:18:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57ECA1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:18:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57ECA1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:18:02 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57ECA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:18:02 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:18:02 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57B290 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:17:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57B461 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:17:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57B461 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:17:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16901	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:17:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57B408 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:17:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57B408 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:17:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57B408 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:17:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:17:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57B3BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:17:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57B3BE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:17:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57B3BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:17:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:17:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57B290 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:17:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-695049431-1178049969-1430079918-1477332366 Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57B290 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:17:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 296D9CD7-9DB1-4637-AE49-3D558E4D0E58 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:17:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x57678F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:16:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x57678F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60248 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:16:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x57678F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16887	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:16:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5703C5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16886	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:14:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5617D3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16885	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:14:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5617BE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16884	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:14:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5617A7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16883	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:14:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x561796 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16882	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:14:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5618A7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16881	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:14:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x561889 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16880	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:14:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x5703C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60230 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16879	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:14:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5703C5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16878	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:14:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x56170D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16877	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x562959 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16876	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x561780 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16875	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x5621A4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16874	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2126872820-1149216472-3752134581-3478556951 Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AFED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16873	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2126872820-1149216472-3752134581-3478556951 Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x561956 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16872	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x56192E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16871	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2126872820-1149216472-3752134581-3478556951 Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AFED Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16870	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2126872820-1149216472-3752134581-3478556951 Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AFED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16869	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16868	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5670AE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16867	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x5670AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16866	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5670AE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16865	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2126872820-1149216472-3752134581-3478556951 Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x566DEA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16864	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2126872820-1149216472-3752134581-3478556951 Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x566DEA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16863	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2126872820-1149216472-3752134581-3478556951 Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x566DEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16862	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16861	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2126872820-1149216472-3752134581-3478556951 Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x566B93 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16860	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2126872820-1149216472-3752134581-3478556951 Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x566B93 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16859	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2126872820-1149216472-3752134581-3478556951 Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x566B93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16858	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16857	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16856	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16855	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x562A7C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16854	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x562A4C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16853	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x562A5E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16852	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x562A7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D8404F8D-B611-FDD3-BE5B-F5D01B477DA0} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60208 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16851	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x562A5E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D8404F8D-B611-FDD3-BE5B-F5D01B477DA0} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60207 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16850	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x562A4C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D8404F8D-B611-FDD3-BE5B-F5D01B477DA0} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60206 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16849	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x562959 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D8404F8D-B611-FDD3-BE5B-F5D01B477DA0} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60205 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16848	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x5621A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3A9920B1-538E-D2E2-E735-44389FAE6D28} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60205 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16847	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x561A11 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16846	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x561A11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8866BF95-E417-3FC7-BA7B-CEEB9E97D4C7} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16845	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2126872820-1149216472-3752134581-3478556951 Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5619A9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16844	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2126872820-1149216472-3752134581-3478556951 Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5619A9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16843	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2126872820-1149216472-3752134581-3478556951 Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5619A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16842	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16841	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2126872820-1149216472-3752134581-3478556951 Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x561956 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16840	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2126872820-1149216472-3752134581-3478556951 Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x561956 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16839	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7EC580F4-A6D8-447F-B507-A5DF179156CF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16838	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x56192E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16837	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x56192E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16836	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x5618A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60212 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16835	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5618A7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16834	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x561889 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60212 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16833	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x561889 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16832	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x5617D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60211 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16831	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5617D3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16830	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x5617BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60211 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16829	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5617BE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16828	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x5617A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60211 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16827	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x5617A7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16826	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x561796 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60211 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16825	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x561796 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16824	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x561780 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60210 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16823	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x561780 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16822	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x56174D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16821	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x56175D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16820	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x561737 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16819	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x56175D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60208 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16818	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x56175D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16817	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x56174D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60207 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16816	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x56174D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16815	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x561737 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60206 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16814	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x561737 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16813	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x56170D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60205 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16812	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x56170D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16811	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:13:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x55EBBE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16810	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:12:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x55EBBE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60202 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16809	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:12:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x55EBBE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16808	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:12:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5540A8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16807	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:12:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x555FD9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16806	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x555FD9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16805	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x555FD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16804	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16803	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554DEC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16802	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554DEC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16801	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554DEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16800	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16799	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x553F60 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16798	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5540A8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16797	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5540A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16796	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16795	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55404F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16794	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55404F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16793	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55404F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16792	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16791	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554006 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16790	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554006 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16789	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x554006 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16788	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16787	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x553F60 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16786	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2560688987-1105659784-1311106978-3676473049 Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x553F60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16785	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 98A1035B-0788-41E7-A2E7-254ED98622DB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16784	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5478E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16783	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:11:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54B79E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16782	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54B79E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16781	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54B79E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16780	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16779	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x546515 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16778	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54864D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16777	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54864D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16776	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54864D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16775	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16774	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x547798 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16773	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5478E6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16772	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5478E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16771	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16770	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54788D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16769	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54788D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16768	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54788D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16767	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16766	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x547844 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16765	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x547844 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16764	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x547844 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16763	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16762	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x547798 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16761	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-926434600-1235263918-1799432071-1765230772 Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x547798 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16760	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 37384528-A1AE-49A0-8727-416BB4483769 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16759	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x546515 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60194 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16758	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:20 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x546515 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16757	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:20 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53D0F4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16756	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x540C1F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16755	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x540C1F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16754	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:02 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x540C1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16753	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:02 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16752	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:10:02 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53DDB6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16751	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53DDB6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16750	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53DDB6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16749	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16748	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53CF2B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16747	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53D0F4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16746	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53D0F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16745	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16744	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53D09B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16743	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53D09B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16742	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53D09B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16741	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16740	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53D04B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16739	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53D04B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16738	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53D04B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16737	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16736	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53CF2B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16735	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-739475226-1266639299-2528721539-3853915209 Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53CF2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16734	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2C137F1A-61C3-4B7F-833A-B9964914B6E5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16733	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3304	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52DDA4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16732	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	3860	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:09:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x531CD6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16731	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x531CD6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16730	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x531CD6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16729	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16728	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52EAC4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16727	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52EAC4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16726	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52EAC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16725	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16724	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52DC5D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16723	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52DDA4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16722	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52DDA4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16721	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16720	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52DD4B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16719	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52DD4B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16718	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52DD4B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16717	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16716	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52DD02 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16715	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52DD02 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16714	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52DD02 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16713	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16712	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52DC5D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16711	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:42 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2907184522-1332267009-1021605520-549349713 Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52DC5D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16710	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:42 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD481D8A-C801-4F68-9076-E43C5169BE20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16709	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:42 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x526CB2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16708	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x523364 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16707	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52734E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16706	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52734E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16705	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:20 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52734E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16704	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:20 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16703	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:20 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x526CB2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60175 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16702	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:19 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x526CB2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16701	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:19 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x524072 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16700	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x524072 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16699	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x524072 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16698	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16697	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52319F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16696	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x523364 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16695	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x523364 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16694	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16693	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x523295 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16692	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x523295 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16691	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x523295 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16690	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16689	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52324A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16688	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52324A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16687	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52324A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16686	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16685	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52319F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16684	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1424176675-1198940104-3680656527-298824640 Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52319F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16683	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 54E33623-5FC8-4776-8F5C-62DBC0B3CF11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16682	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:08:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x515AF6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16681	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x519CBE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16680	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x519CBE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16679	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x519CBE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16678	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16677	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516893 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16676	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516893 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16675	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:02 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x516893 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16674	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:02 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16673	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:02 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5159A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16672	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x515AF6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16671	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x515AF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16670	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16669	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x515A9D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16668	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x515A9D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16667	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x515A9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16666	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16665	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x515A4D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16664	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x515A4D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16663	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x515A4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16662	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16661	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5159A7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16660	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-303402369-1117382604-3865644196-2335910352 Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5159A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16659	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 12158D81-E7CC-4299-A40C-69E6D0293B8B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16658	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:07:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x51281F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16657	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:06:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x51281F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60163 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16656	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:06:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x51281F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16655	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:06:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x50C16C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16654	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:04:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x50C16C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60159 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16653	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:04:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x50C16C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16652	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:04:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE574 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16651	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:03:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x4F7323 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16650	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:03:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x503663 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16649	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x503663 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16648	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x503663 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16647	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16646	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FF23A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16645	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FF23A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16644	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FF23A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16643	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16642	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE428 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16641	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE574 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16640	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE574 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16639	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16638	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE51B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16637	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE51B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16636	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE51B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16635	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16634	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE4D2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16633	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE4D2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16632	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE4D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16631	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16630	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE428 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16629	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2794392755-1093127873-2640006555-2880940785 Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE428 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16628	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A68F0CB3-CEC1-4127-9B4D-5B9DF1AAB7AB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16627	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DE93E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16626	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F8FDF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16625	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F8FDF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16624	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:29 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F8FDF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16623	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:29 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16622	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:29 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x4F7323 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60148 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16621	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x4F7323 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16620	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:02:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x4E4519 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16619	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:01:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E5875 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16618	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:01:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EABF2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16617	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EABF2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16616	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EABF2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16615	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16614	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E77F6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16613	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E77F6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16612	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E77F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16611	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16610	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E571B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16609	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E5875 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16608	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E5875 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16607	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16606	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E581C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16605	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E581C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16604	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E581C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16603	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16602	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E57D2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16601	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E57D2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16600	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E57D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16599	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16598	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E571B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16597	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2577020510-1176106665-642683311-1317884826 Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E571B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16596	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 999A365E-F6A9-4619-AF91-4E269A538D4E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16595	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x4E4519 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60124 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16594	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x4E4519 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16593	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E2D52 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16592	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E2D52 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16591	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E2D52 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16590	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16589	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF691 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16588	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF691 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16587	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF691 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16586	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16585	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DE7E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16584	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DE93E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16583	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DE93E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16582	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16581	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DE8DF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16580	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DE8DF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16579	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DE8DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16578	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16577	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DE895 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16576	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DE895 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16575	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DE895 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16574	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16573	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DE7E8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16572	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1977002604-1098095947-2499118480-469839124 Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DE7E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16571	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 75D6AA6C-9D4B-4173-9085-F594142D011C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16570	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 7:00:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45FF28 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16569	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:59:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x4CE468 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16568	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:58:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B5988 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16567	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:58:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CFD96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16566	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:58:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CFD96 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16565	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:58:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CFD96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16564	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:58:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16563	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:58:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x4CE468 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60101 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16562	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:58:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x4CE468 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16561	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:58:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x4B750D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16560	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:57:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BC8BD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16559	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C0EC1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16558	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C0EC1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16557	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C0EC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16556	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16555	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BD681 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16554	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BD681 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16553	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BD681 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16552	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16551	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BC75E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16550	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BC8BD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16549	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BC8BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16548	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16547	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BC85D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16546	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BC85D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16545	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BC85D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16544	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16543	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BC80A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16542	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BC80A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16541	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BC80A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16540	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16539	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BC75E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16538	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1171455050-1127320578-947900302-2437097129 Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BC75E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16537	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45D2FC4A-8C02-4331-8ECF-7F38A9264391 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16536	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BA00F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16535	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BA00F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16534	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4BA00F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16533	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16532	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x4B750D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60092 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16531	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x4B750D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16530	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B673E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16529	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B673E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16528	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B673E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16527	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16526	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B582F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16525	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B5988 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16524	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B5988 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16523	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16522	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B592D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16521	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B592D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16520	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B592D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16519	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16518	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B58DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16517	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B58DA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16516	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B58DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16515	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16514	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B582F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16513	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3811640784-1282400643-4270237108-2169200956 Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B582F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16512	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E33105D0-E183-4C6F-B4A5-86FE3C614B81 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16511	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:56:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x4A6118 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16510	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:55:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A4A5C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16509	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A8E44 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16508	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A8E44 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16507	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:19 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A8E44 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16506	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:19 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16505	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:19 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x4A6118 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60082 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16504	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x4A6118 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16503	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A57E5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16502	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A57E5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16501	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A57E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16500	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16499	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A490E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16498	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A4A5C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16497	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A4A5C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16496	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16495	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A4A03 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16494	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A4A03 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16493	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A4A03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16492	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16491	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A49BA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16490	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A49BA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16489	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A49BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16488	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16487	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A490E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16486	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2401283411-1113841147-3042544561-2517289835 Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A490E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16485	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8F20AD53-DDFB-4263-B18B-59B56BCB0A96 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16484	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:54:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4988F2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16483	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49D887 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16482	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49D887 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16481	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49D887 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16480	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16479	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4996B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16478	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4996B4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16477	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4996B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16476	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16475	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49879C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16474	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4988F2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16473	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4988F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16472	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16471	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x498899 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16470	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x498899 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16469	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x498899 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16468	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16467	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x498849 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16466	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x498849 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16465	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x498849 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16464	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16463	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49879C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16462	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-684320343-1176687618-457173639-3332630736 Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49879C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16461	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 28C9E657-D402-4622-87EA-3F1BD0E8A3C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16460	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:53:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x4931A9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16459	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:52:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x4931A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60062 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16458	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:52:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x4931A9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16457	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:52:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4892E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16456	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:52:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48D6FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16455	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48D6FC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16454	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48D6FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16453	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16452	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48A07C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16451	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48A07C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16450	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48A07C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16449	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16448	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48918F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16447	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4892E8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16446	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4892E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16445	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16444	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48928F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16443	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48928F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16442	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48928F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16441	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16440	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48923C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16439	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48923C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16438	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48923C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16437	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16436	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48918F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16435	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-173046081-1084070043-2205811093-1228327550 Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48918F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16434	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A507941-989B-409D-9501-7A837ECA3649 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16433	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x483BFC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16432	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:21 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x483BFC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16431	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x483BFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16430	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16429	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x456CDF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16428	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x45CFED Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16427	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4702F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16426	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4702F7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16425	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4702F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16424	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16423	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:51:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16422	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16421	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46524D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16420	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46524D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16419	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46524D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16418	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16417	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x463DFC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16416	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x463DFC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16415	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x463DFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16414	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16413	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x462722 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16412	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x462722 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16411	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:49 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x462722 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16410	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:49 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16409	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:49 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45FDC8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16408	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45FF28 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16407	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45FF28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16406	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16405	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45FECF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16404	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45FECF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16403	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45FECF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16402	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16401	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45FE85 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16400	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45FE85 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16399	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45FE85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16398	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16397	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45FDC8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16396	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1009230999-1309921055-897274758-1279501077 Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45FDC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16395	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3C27A497-CF1F-4E13-8653-7B3515A3434C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16394	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x45CFED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60042 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16393	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x45CFED Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16392	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45B547 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16391	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45B547 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16390	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:02 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45B547 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16389	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:02 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16388	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:50:02 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x457996 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16387	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x457996 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16386	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x457996 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16385	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16384	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x456B91 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16383	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x456CDF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16382	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x456CDF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16381	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16380	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x456C86 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16379	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x456C86 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16378	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x456C86 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16377	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16376	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x456C3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16375	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x456C3D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16374	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x456C3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16373	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16372	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x456B91 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16371	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4281081352-1211888024-1721345160-2672954125 Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x456B91 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16370	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FF2C1E08-F198-483B-88A4-99660D0B529F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16369	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x43A49E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16368	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B372 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16367	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4504E7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16366	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4504E7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16365	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4504E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16364	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16363	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44C067 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16362	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44C067 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16361	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44C067 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16360	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16359	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B223 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16358	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B372 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16357	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B372 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16356	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16355	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B319 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16354	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B319 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16353	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B319 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16352	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16351	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B2C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16350	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B2C9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16349	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B2C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16348	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16347	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B223 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16346	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-384874423-1226211531-343463042-325363743 Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B223 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16345	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 16F0B7B7-80CB-4916-82D4-78141FA86413 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16344	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:49:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374E08 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16343	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:48:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AE236 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16342	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:48:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43395A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16341	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:48:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43A419 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16340	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:48:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43A419 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16339	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:48:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43A419 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16338	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:48:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16337	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:48:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x43A49E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 60026 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16336	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:48:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x43A49E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16335	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:48:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4379B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16334	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:48:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4379B2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16333	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:48:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4379B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16332	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:48:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16331	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:48:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x434681 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16330	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x434681 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16329	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x434681 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16328	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16327	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433801 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16326	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43395A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16325	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43395A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16324	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16323	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4338FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16322	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4338FA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16321	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4338FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16320	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16319	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4338B1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16318	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4338B1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16317	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4338B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16316	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16315	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433801 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16314	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1945037035-1116216451-1892253363-3457174976 Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433801 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16313	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73EEE8EB-1C83-4288-B37E-C970C04D10CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16312	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x424602 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16311	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42DBAB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16310	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42DBAB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16309	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42DBAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16308	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16307	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x428BC8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16306	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x428BC8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16305	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x428BC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16304	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16303	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42533B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16302	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42533B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16301	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42533B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16300	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16299	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4244AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16298	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x424602 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16297	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x424602 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16296	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16295	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4245A9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16294	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4245A9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16293	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4245A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16292	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16291	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x424560 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16290	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x424560 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16289	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x424560 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16288	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16287	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4244AF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16286	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2142450545-1257745881-562125503-116373878 Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4244AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16285	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7FB33371-ADD9-4AF7-BF5A-812176B9EF06 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16284	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:47:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A90DB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16283	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2CDC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16282	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x3F153B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16281	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF063 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16280	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FCE36 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16279	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FCE36 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16278	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FCE36 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16277	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16276	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F3ED7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16275	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F3ED7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16274	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F3ED7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16273	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16272	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2A5B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16271	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2CDC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16270	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2CDC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16269	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16268	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2C17 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16267	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2C17 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16266	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2C17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16265	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16264	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2B74 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16263	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2B74 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16262	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2B74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16261	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16260	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2A5B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16259	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3471536788-1100013662-2759161265-705340750 Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F2A5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16258	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEEB7294-E05E-4190-B175-75A44EA50A2A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16257	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x3F153B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59995 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16256	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x3F153B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16255	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:46:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ED3E2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16254	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ED3E2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16253	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ED3E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16252	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16251	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3528A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16250	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x391556 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16249	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DFFB8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16248	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DFFB8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16247	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DFFB8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16246	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16245	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D3762 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16244	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D3762 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16243	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D3762 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16242	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16241	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D2E19 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16240	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D2E19 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16239	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D2E19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16238	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16237	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16236	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16235	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BFEAA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16234	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BFEAA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16233	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BFEAA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16232	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16231	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEF14 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16230	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF063 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16229	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF063 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16228	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16227	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF003 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16226	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF003 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16225	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BF003 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16224	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16223	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEFBA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16222	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEFBA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEFBA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEF14 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-858066278-1191739594-1644765873-3468770795 Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BEF14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33250D66-80CA-4708-B122-0962EB3DC1CE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x38E447 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BCFDF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BCFDF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BCFDF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BA3DB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BA3DB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BA3DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:45:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B6EB0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B6EB0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B6EB0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B4550 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B4550 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B4550 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AEFCB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AEFCB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AEFCB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AE0E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AE236 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AE236 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AE1DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AE1DD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AE1DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AE194 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AE194 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AE194 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AE0E8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1246871638-1255211266-1468967341-3537565419 Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AE0E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A51C056-0102-4AD1-ADA9-8E57EBF6DAD2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A0890 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AA55D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AA55D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AA55D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A8F92 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A90DB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A90DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A9080 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A9080 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A9080 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A9037 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A9037 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A9037 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A8F92 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-294373098-1312218351-1598586552-759871776 Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A8F92 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 118BC6EA-DCEF-4E36-B87E-485F20B94A2D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A7252 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A7252 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:34 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A7252 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:34 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:34 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A1E77 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A1E77 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A1E77 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A034D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A0890 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A0890 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A071A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A071A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A071A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A059B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A059B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A059B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A034D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1659036248-1174979531-866864063-723645554 Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A034D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 62E2E258-C3CB-4608-BF4B-AB3372F4212B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36CE86 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39920F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39920F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:19 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39920F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:19 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:19 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37DA20 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x392308 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x392308 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x392308 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x391401 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x391556 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x391556 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3914F6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3914F6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3914F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3914AD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3914AD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3914AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x391401 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2885056365-1313791593-3161015171-329430980 Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x391401 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ABF6776D-DE69-4E4E-8343-69BCC4B7A213 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34A7EC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x38E447 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59956 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x38E447 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38AD2A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38AD2A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38AD2A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374328 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:44:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x382ED0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x382ED0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x382ED0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37FBAF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37FBAF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37FBAF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37F760 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37F760 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37F760 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37D755 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37DA20 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37DA20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37D962 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37D962 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37D962 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37D90D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37D90D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37D90D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37D755 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-439776275-1240282506-1582534038-3579049747 Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37D755 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A367413-358A-49ED-968D-535E13F753D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35FB90 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x376B65 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x376B65 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x376B65 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x375847 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x375847 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x375847 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37494D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374E08 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374E08 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374D42 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374D42 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374D42 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374B1E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374B1E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374B1E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37494D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4205603894-1135335950-2070722726-2128992013 Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37494D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FAAC6C36-DA0E-43AB-A6B8-6C7B0DD7E57E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3741D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374328 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374328 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3742CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3742CF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3742CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374285 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374285 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374285 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3741D4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3973335307-1176196476-1432080805-1292380763 Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3741D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ECD4490B-557C-461B-A5D1-5B555B2A084D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3721AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3721AB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:49 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3721AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:49 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:49 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36E586 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36E586 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36E586 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36CD2C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36CE86 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36CE86 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36CE2D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36CE2D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36CE2D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36CDE4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36CDE4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36CDE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36CD2C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1804339422-1123530105-1197574793-2175476889 Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36CD2C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6B8C08DE-B579-42F7-898A-61479924AB81 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x33C143 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300FE2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x363FF9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x363FF9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x363FF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3609E5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3609E5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3609E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35FA45 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35FB90 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35FB90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35FB37 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35FB37 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35FB37 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35FAEE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35FAEE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35FAEE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35FA45 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1944691619-1306441754-4026598068-3515249348 Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35FA45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 73E9A3A3-B81A-4DDE-B402-01F0C47286D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D462 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D46C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D46C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D46C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x317FD5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3536C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3536C7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3536C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3526D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3528A3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3528A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3527D1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3527D1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3527D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x352781 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x352781 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x352781 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3526D5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15967	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3861367101-1178372467-3250622608-4191114461 Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3526D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E627C93D-8973-463C-9090-C0C1DD54CFF9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:43:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34F5B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34F5B2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34F5B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34B608 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34B608 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34B608 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34A69D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34A7EC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34A7EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34A793 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34A793 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34A793 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34A74A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34A74A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34A74A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34A69D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-699487854-1089505891-3659018673-1317715154 Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34A69D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 29B1566E-8A63-40F0-B131-18DAD2BC8A4E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B3A26 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x341BC4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x341BC4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x341BC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33E1E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33E1E6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33E1E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D30F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D462 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D462 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D402 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D402 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D402 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D3B9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D3B9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D3B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D30F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3972270959-1339536597-287406993-2622900425 Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33D30F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ECC40B6F-B4D5-4FD7-917B-2111C948569C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x33C143 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59888 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x33C143 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:42:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3297AA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x307183 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F8CB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F8CB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F8CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x31EFD5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A5DB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A5DB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A5DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329662 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3297AA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3297AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15901	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329751 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329751 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329751 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329708 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329708 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329708 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329662 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3024792083-1217502291-2910647175-1987179248 Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x329662 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B44AAA13-9C53-4891-87F3-7CADF0F27176 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FD66 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x321F1D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x321F1D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15887	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x321F1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15886	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15885	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x320B3C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15884	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x320B3C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15883	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x320B3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15882	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15881	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:33 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FC18 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15880	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FD66 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15879	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FD66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15878	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15877	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FD0D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15876	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FD0D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15875	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FD0D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15874	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15873	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FCBD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15872	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FCBD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15871	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FCBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15870	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15869	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FC18 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15868	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2378823621-1277688746-375604877-1905761816 Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31FC18 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15867	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8DC9F7C5-FBAA-4C27-8D46-6316189E9771 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15866	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x31F03E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15865	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x31F03B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15864	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x31F03E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 59867 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15863	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x31F03E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15862	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x31F039 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15861	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x31F03B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 59866 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15860	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x31F03B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15859	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x31F039 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 59865 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15858	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x31F039 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15857	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x31EFD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-805046-2 Source Network Address: 10.222.0.49 Source Port: 59864 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15856	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x31EFD5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15855	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31C976 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15854	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31C976 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15853	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31C976 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15852	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15851	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x318D68 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15850	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x318D68 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15849	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x318D68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15848	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15847	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x317E87 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15846	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x317FD5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15845	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x317FD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15844	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15843	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x317F7C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15842	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x317F7C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15841	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x317F7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15840	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15839	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x317F33 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15838	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x317F33 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15837	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x317F33 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15836	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15835	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x317E87 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15834	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1362369691-1278486984-3451626919-4178885424 Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x317E87 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15833	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51341C9B-29C8-4C34-A7A5-BBCD30BB14F9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15832	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:41:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31152D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15831	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31152D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15830	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31152D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15829	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15828	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B03FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15827	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x2F5E80 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15826	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3094FB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15825	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3094FB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15824	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3094FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15823	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15822	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x307F95 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15821	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x307F95 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15820	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x307F95 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15819	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15818	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30703B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15817	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x307183 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15816	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x307183 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15815	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15814	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30712A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15813	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30712A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15812	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30712A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15811	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15810	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3070E1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15809	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3070E1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15808	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3070E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15807	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15806	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30703B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15805	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2704903774-1149344127-441628345-1163888443 Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30703B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15804	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A1398E5E-997F-4481-B9B6-521A3B875F45 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15803	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x305492 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15802	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x305492 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15801	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x305492 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15800	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15799	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x301D30 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15798	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x301D30 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15797	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x301D30 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15796	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15795	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300E89 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15794	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300FE2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15793	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300FE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15792	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15791	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300F7E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15790	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300F7E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15789	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300F7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15788	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15787	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300F35 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15786	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300F35 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15785	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300F35 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15784	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15783	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300E89 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15782	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2232215873-1277521637-1007958160-801004550 Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x300E89 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15781	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 850CE941-6EE5-4C25-9038-143C065CBE2F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15780	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC91B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15779	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C960C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15778	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x2F5E80 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59844 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15777	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x2F5E80 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15776	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB2ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15775	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:40:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EF9CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15774	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EF9CF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15773	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EF9CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15772	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15771	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D1766 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15770	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB665 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15769	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB665 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15768	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB665 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15767	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15766	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3DFF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15765	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E079C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15764	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E079C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15763	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E079C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15762	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15761	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DED3E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15760	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DED3E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15759	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DED3E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15758	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15757	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DD51D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15756	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DD51D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15755	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DD51D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15754	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15753	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC0BB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15752	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC91B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15751	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC91B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15750	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15749	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC75E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15748	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC75E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15747	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC75E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15746	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15745	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC60E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15744	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC60E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15743	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC60E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15742	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15741	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC0BB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15740	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-144729317-1270421830-363891887-2856474302 Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC0BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15739	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 08A064E5-1946-4BB9-AF8C-B015BE5642AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15738	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DAB48 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15737	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB2ED Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15736	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB2ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15735	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15734	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB09F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15733	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB09F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15732	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB09F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15731	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15730	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DAEC0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15729	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DAEC0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15728	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DAEC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15727	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15726	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DAB48 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15725	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1267796822-1283974240-202472584-1951823118 Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DAB48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15724	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4B910B56-E460-4C87-887C-110C0E755674 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15723	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DA6D1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15722	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DA6D1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15721	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DA6D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15720	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15719	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D576D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15718	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D576D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15717	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D576D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15716	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15715	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3938 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15714	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3DFF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15713	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3DFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15712	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15711	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3C6E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15710	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3C6E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15709	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3C6E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15708	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15707	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3B48 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15706	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3B48 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15705	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3B48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15704	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15703	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3938 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15702	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4213191230-1127673633-553834154-2638547238 Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D3938 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15701	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB20323E-EF21-4336-AAD6-02212609459D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15700	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D24ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15699	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D24ED Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15698	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D24ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15697	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15696	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D1611 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15695	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D1766 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15694	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D1766 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15693	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15692	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D1709 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15691	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D1709 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15690	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D1709 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15689	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15688	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D16B8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15687	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D16B8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15686	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D16B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15685	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15684	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D1611 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15683	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-872344647-1101025515-118933639-534222260 Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D1611 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15682	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33FEEC47-50EB-41A0-87C8-1607B495D71F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15681	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CF095 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15680	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CF095 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15679	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CF095 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15678	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15677	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CA3F3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15676	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CA3F3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15675	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2CA3F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15674	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15673	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C94B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15672	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C960C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15671	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C960C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15670	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15669	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C95A9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15668	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C95A9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15667	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C95A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15666	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15665	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C9560 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15664	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C9560 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15663	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C9560 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15662	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15661	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C94B4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15660	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2582705094-1158892540-1651069342-3918004028 Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C94B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15659	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 99F0F3C6-4BFC-4513-9E51-69623CFF87E9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15658	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x29C0D7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15657	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:39:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B582F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15656	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C0220 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15655	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C0220 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15654	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C0220 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15653	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15652	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BF798 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15651	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BF798 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15650	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BF798 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15649	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15648	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BC0B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15647	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BC0B4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15646	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BC0B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15645	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15644	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6571 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15643	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6571 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15642	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B6571 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15641	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15640	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B56E1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15639	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B582F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15638	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B582F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15637	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15636	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B57D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15635	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B57D4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15634	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B57D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15633	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15632	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B578B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15631	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B578B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15630	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B578B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15629	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15628	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B56E1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15627	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-594990991-1193620890-3419975351-874882193 Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B56E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15626	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2376D78F-359A-4725-B7AE-D8CB91A42534 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15625	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B4821 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15624	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B4821 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15623	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B4821 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15622	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15621	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B31CB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15620	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B3A26 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15619	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B3A26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15618	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15617	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B3808 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15616	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B3808 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15615	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B3808 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15614	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15613	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B34D8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15612	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B34D8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15611	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B34D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15610	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15609	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B31CB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15608	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-440337795-1292090382-111176067-2386553566 Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B31CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15607	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1A3F0583-BC0E-4D03-8369-A006DEEA3F8E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15606	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B2D71 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15605	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B2D71 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15604	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B2D71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15603	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15602	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B023D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15601	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B03FF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15600	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B03FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15599	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15598	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B03A6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15597	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B03A6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15596	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B03A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15595	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15594	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B035B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15593	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B035B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15592	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B035B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15591	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15590	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B023D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15589	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-608286733-1260490104-1708525702-1747696903 Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B023D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15588	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2441B80D-8D78-4B21-8608-D66507BD2B68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15587	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288835 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15586	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x285065 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15585	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25FB46 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15584	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29DA9F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15583	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:07 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29DA9F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15582	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29DA9F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15581	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15580	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x29C0D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59808 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15579	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x29C0D7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15578	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B0D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15577	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:38:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x295CD5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15576	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x295CD5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15575	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x295CD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15574	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15573	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x294BCC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15572	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x294BCC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15571	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x294BCC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15570	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15569	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x242762 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15568	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28BAD5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15567	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28BAD5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15566	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:47 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28BAD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15565	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:47 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15564	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:47 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x289716 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15563	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x289716 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15562	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x289716 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15561	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15560	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2886E7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15559	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288835 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15558	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288835 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15557	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15556	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2887DC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15555	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2887DC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15554	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2887DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15553	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15552	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288793 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15551	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288793 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15550	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288793 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15549	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15548	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2886E7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15547	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1574899819-1216537038-3674278281-3750295841 Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2886E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15546	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5DDF106B-E1CE-4882-8909-01DB21F988DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15545	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x25D660 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15544	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC6AB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15543	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x285EFF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15542	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x285EFF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15541	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x285EFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15540	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15539	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284F1E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15538	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x285065 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15537	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x285065 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15536	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15535	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28500C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15534	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28500C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15533	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28500C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15532	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15531	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284FC3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15530	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284FC3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15529	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284FC3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15528	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15527	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284F1E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15526	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1779003171-1261910077-2173243818-2894163664 Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284F1E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15525	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A096F23-383D-4B37-AA11-8981D06E81AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15524	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x281FEC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15523	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x281FEC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15522	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x281FEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15521	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15520	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27BE0C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15519	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27BE0C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15518	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27BE0C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15517	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15516	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27AF89 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15515	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B0D5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15514	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B0D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15513	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15512	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B07C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15511	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B07C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15510	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B07C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15509	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15508	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B033 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15507	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B033 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15506	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B033 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15505	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15504	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27AF89 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15503	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3632614339-1095345966-2860518818-2808831441 Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27AF89 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15502	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D8854BC3-A72E-4149-A20D-80AAD15D6BA7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15501	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249D6A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15500	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27691B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15499	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27691B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15498	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27691B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15497	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15496	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:37:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x252918 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15495	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x252903 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15494	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x2528EC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15493	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x2528DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15492	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x252956 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15491	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2748C6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15490	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2748C6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15489	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2748C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15488	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15487	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3135519331-1261210236-2137999023-612399123 Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13CD97 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15486	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3135519331-1261210236-2137999023-612399123 Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x129848 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15485	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26FA36 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15484	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26FA36 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15483	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26FA36 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15482	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15481	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:32 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-300871931-1290874793-3761665422-2765860781 Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x174895 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15480	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-300871931-1290874793-3761665422-2765860781 Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1686BF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15479	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26D45E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15478	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26D45E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15477	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26D45E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15476	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15475	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26CC71 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15474	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26CC71 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15473	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:29 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26CC71 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15472	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:29 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15471	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:29 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x2527E1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15470	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x265DD7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15469	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x265DD7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15468	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x265DD7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15467	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15466	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-522071570-1148182063-2012866730-1887305949 Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AB66 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15465	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-522071570-1148182063-2012866730-1887305949 Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x250110 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15464	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x252EC9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15463	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x260A4C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15462	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x260A4C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15461	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x260A4C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15460	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15459	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F781 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15458	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25FB46 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15457	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25FB46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15456	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15455	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F905 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15454	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F905 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15453	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F905 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15452	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15451	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F831 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15450	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F831 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15449	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F831 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15448	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15447	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F781 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15446	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3704748346-1087511918-1060581025-1568703654 Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25F781 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15445	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCD1F93A-1D6E-40D2-A12E-373FA684805D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15444	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x25D660 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A619588F-B8D3-1FE0-309F-9BE9BFF6098E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59723 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15443	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x25D660 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15442	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x252A79 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15441	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-522071570-1148182063-2012866730-1887305949 Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AB66 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15440	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-522071570-1148182063-2012866730-1887305949 Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AB66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15439	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15438	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25844A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15437	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25844A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15436	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25844A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15435	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15434	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:36:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x253FBB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15433	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x253FBB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15432	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x253FBB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15431	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-522071570-1148182063-2012866730-1887305949 Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x253CE0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15430	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-522071570-1148182063-2012866730-1887305949 Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x253CE0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15429	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-522071570-1148182063-2012866730-1887305949 Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x253CE0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15428	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15427	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-522071570-1148182063-2012866730-1887305949 Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x253A9E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15426	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-522071570-1148182063-2012866730-1887305949 Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x253A9E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15425	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-522071570-1148182063-2012866730-1887305949 Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x253A9E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15424	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15423	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x252EC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3A9920B1-538E-D2E2-E735-44389FAE6D28} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15422	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x252A9B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15421	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x252A9B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8866BF95-E417-3FC7-BA7B-CEEB9E97D4C7} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15420	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x252A79 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15419	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x252A79 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15418	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x252956 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59759 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15417	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x252956 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15416	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x252918 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59758 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15415	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x252918 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15414	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x252903 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59758 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15413	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x252903 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15412	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x2528EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59758 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15411	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x2528EC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15410	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x2528DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59758 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15409	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x2528DB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15408	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x25280C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15407	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x25282D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15406	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x25281C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15405	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x25282D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59757 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15404	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x25282D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15403	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x25281C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59756 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15402	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x25281C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15401	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x25280C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59755 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15400	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x25280C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15399	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x2527E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15398	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x2527E1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15397	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x250012 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15396	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-522071570-1148182063-2012866730-1887305949 Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2502BC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15395	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-522071570-1148182063-2012866730-1887305949 Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2502BC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15394	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-522071570-1148182063-2012866730-1887305949 Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2502BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15393	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15392	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-522071570-1148182063-2012866730-1887305949 Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x250110 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15391	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-522071570-1148182063-2012866730-1887305949 Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x250110 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15390	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F1E2E12-DE2F-446F-AAE8-F977DD007E70 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15389	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x250012 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C7A69790-4467-44BF-2CE5-FE9982930D05} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: RestrictedKrbHost/n-h2-805046-2@CBCI-805046-2.LOCAL Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15388	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x250012 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15387	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D17C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15386	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D17C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15385	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D17C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15384	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15383	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24AB8A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15382	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24AB8A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15381	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24AB8A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15380	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15379	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249C23 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15378	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249D6A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15377	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249D6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15376	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15375	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249D11 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15374	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249D11 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15373	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249D11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15372	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15371	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249CC8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15370	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249CC8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15369	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249CC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15368	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15367	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249C23 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15366	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-325987715-1161542151-3618492587-1673315354 Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249C23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15365	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 136E2D83-BA07-453B-ABD0-ADD71AC4BC63 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15364	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2328F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15363	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x243D61 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15362	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x243D61 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15361	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x243D61 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15360	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15359	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x242613 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15358	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x242762 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15357	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x242762 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15356	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15355	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x242709 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15354	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x242709 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15353	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x242709 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15352	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15351	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2426C0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15350	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2426C0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15349	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2426C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15348	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15347	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x242613 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15346	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-904501456-1168224928-2723739792-455751355 Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x242613 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15345	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35E998D0-B2A0-45A1-90F8-58A2BB362A1B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15344	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191E0E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15343	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E0C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15342	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E0C8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15341	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23E0C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15340	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15339	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x229F59 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15338	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23369A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15337	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23369A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15336	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23369A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15335	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15334	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:38 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2327AE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15333	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2328F7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15332	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2328F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15331	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15330	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23289C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15329	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23289C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15328	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23289C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15327	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15326	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x232853 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15325	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x232853 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15324	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x232853 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15323	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15322	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2327AE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15321	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-378360601-1197421459-1895767194-2804341298 Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2327AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15320	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 168D5319-3393-475F-9A1C-FF7032DA26A7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15319	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:37 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x230559 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15318	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x230559 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15317	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x230559 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15316	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15315	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-753316273-1299558169-1605783702-302628130 Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF9059 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15314	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-753316273-1299558169-1605783702-302628130 Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEB82B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15313	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22ADF8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15312	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22ADF8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15311	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22ADF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15310	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15309	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC6EC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15308	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC6D7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15307	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC6C0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15306	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CD247 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15305	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CD209 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15304	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CD1AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15303	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CCD5F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15302	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CCD17 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15301	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CCCFB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15300	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC847 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15299	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC832 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15298	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC81B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15297	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC311 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15296	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC2FB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15295	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC1CC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15294	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC1B5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15293	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC828 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15292	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CD301 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15291	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC19E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15290	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CD2A4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15289	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC18B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15288	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CCE15 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15287	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC913 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15286	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC70C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15285	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC459 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15284	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x229E0B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15283	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x229F59 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15282	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x229F59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15281	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15280	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x229F00 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15279	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x229F00 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15278	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x229F00 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15277	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15276	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x229EB7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15275	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x229EB7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15274	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x229EB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15273	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15272	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x229E0B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15271	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1140034231-1246210706-4137915569-4092007165 Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x229E0B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15270	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 43F38AB7-AA92-4A47-B194-A3F6FD12E7F3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15269	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D14E1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15268	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212B58 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15267	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x210E94 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15266	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21B784 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15265	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21B784 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15264	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:19 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21B784 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15263	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:19 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15262	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:19 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21857B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15261	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21857B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15260	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x21857B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15259	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15258	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x213AA0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15257	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x213AA0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15256	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x213AA0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15255	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15254	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212A0A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15253	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212B58 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15252	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212B58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15251	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15250	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212AFF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15249	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212AFF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15248	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212AFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15247	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15246	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212AB6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15245	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212AB6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15244	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212AB6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15243	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15242	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212A0A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15241	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3803453468-1246448108-3794634137-1515316466 Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212A0A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15240	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E2B4181C-49EC-4A4B-9985-2DE2F2E4515A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15239	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x211D3B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15238	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x211D3B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15237	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x211D3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15236	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15235	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x210D2E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15234	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x210E94 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15233	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x210E94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15232	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15231	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x210E3B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15230	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x210E3B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15229	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x210E3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15228	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15227	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x210DE1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15226	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x210DE1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15225	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x210DE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15224	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15223	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x210D2E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15222	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1375358331-1194116085-2145768067-279162643 Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x210D2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 51FA4D7B-C3F5-472C-83D2-E57F13AFA310 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC631 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2189721357-1328246964-2723402414-288118313 Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x202FB0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2189721357-1328246964-2723402414-288118313 Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FB3FE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x1FCF03 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:35:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC93C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2189721357-1328246964-2723402414-288118313 Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x202FB0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2189721357-1328246964-2723402414-288118313 Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x202FB0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:57 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF880 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF880 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FF880 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FED06 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1FED06 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FED06 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2189721357-1328246964-2723402414-288118313 Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FEA0B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2189721357-1328246964-2723402414-288118313 Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FEA0B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2189721357-1328246964-2723402414-288118313 Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FEA0B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2189721357-1328246964-2723402414-288118313 Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FE5D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2189721357-1328246964-2723402414-288118313 Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FE5D9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2189721357-1328246964-2723402414-288118313 Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FE5D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1FCF03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3A9920B1-538E-D2E2-E735-44389FAE6D28} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59719 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x1FC96A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1FC96A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8866BF95-E417-3FC7-BA7B-CEEB9E97D4C7} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1FC93C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC93C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1FC828 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59701 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC828 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1FC6EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC6EC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1FC6D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC6D7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1FC6C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC6C0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1FC6AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59723 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC6AB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC67F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC66F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC65A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1FC67F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59722 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC67F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1FC66F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59721 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC66F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1FC65A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59720 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC65A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1FC631 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59719 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FC631 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FB3B9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2189721357-1328246964-2723402414-288118313 Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FB46A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2189721357-1328246964-2723402414-288118313 Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FB46A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2189721357-1328246964-2723402414-288118313 Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FB46A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2189721357-1328246964-2723402414-288118313 Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FB3FE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2189721357-1328246964-2723402414-288118313 Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FB3FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 82847F0D-70B4-4F2B-AED2-53A229562C11 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1FB3B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {55692D1C-B0DC-F3EB-C139-6AEA4304D8DC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: RestrictedKrbHost/n-h2-805046-2@CBCI-805046-2.LOCAL Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1FB3B9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DFFAE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF25A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E68EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E68EB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E68EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E580E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E580E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E580E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E0E1E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E0E1E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:42 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E0E1E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:42 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:42 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DFE5D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DFFAE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DFFAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DFF55 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DFF55 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DFF55 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DFF05 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DFF05 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DFF05 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DFE5D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2728453774-1198887792-596788889-3557523552 Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DFE5D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A2A0E68E-9370-4775-9946-922360800BD4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:41 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x127B25 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x181E57 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1B587A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D94DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D94DA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:29 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D94DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:29 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:29 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D5D81 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D5D81 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D5D81 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D416C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D416C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D416C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:25 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D28B1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D28B1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D28B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D123C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D14E1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D14E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D13C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D13C8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D13C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D1350 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D1350 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D1350 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D123C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1785188376-1183818999-617910403-822379936 Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D123C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A67D018-A4F7-468F-8390-D424A0850431 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CD301 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59701 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CD301 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CD2A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59701 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CD2A4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CD247 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CD247 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CD209 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CD209 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CD1AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CD1AC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CCE15 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59701 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CCE15 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CCD5F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CCD5F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CCD17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CCD17 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CCCFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CCCFB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CC913 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59701 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC913 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CC847 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC847 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CC832 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC832 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CC81B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC81B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CC70C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59701 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC70C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CC459 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59701 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC459 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CC311 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC311 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CC2FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC2FB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CC1CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC1CC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CC1B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC1B5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CC19E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC19E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1CC18B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1CC18B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C33B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:03 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C33B2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:03 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C33B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:03 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:34:03 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1B587A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59677 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1B587A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167D74 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167CCA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167C66 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167C0B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x16757C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167567 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x16753C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x16728B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x16725B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1671F4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166F87 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166F72 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166F5B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166A75 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166A60 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166A49 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166987 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166972 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x16695B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x127D09 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x127CA7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x127BE2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEAE1C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEAE07 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167EBA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167E32 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEADF0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEADDF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1675A2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167321 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166FB1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166E28 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166A8B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x128497 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167EF2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1282EF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167D8F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEAE53 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B25F6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B25F6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B25F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B180C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B180C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B180C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:56 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF01C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF25A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF25A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF1C3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF1C3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF1C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF133 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF133 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF133 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF01C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2898115628-1127583810-2797095068-3186995861 Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AF01C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACBDBC2C-9042-4335-9C48-B8A695B2F5BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x104941 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x106509 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3CFA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3CFA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:49 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3CFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:49 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:49 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x119B68 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x142570 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1935AD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1935AD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1935AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x192C9B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x192C9B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x192C9B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:40 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191CA6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191E0E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191E0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191DB1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191DB1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14967	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191DB1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191D5F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191D5F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191D5F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191CA6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2290363541-1281933221-1424465323-2549156889 Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191CA6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 88842C95-BFA5-4C68-AB9D-E754190CF197 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:39 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16151A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18C869 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18C869 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18C869 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121101 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18346F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18346F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18346F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x181C17 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x181E57 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x181E57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x181DB8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x181DB8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x181DB8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x181D2B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x181D2B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x181D2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x181C17 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2276462123-1332279215-560257947-2961180863 Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x181C17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87B00E2B-F7AF-4F68-9BDB-6421BF0880B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x16AAAE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167779 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x169894 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17DC32 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17DC32 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17DC32 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:17 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x168698 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-300871931-1290874793-3761665422-2765860781 Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x174895 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-300871931-1290874793-3761665422-2765860781 Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x174895 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x170070 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x170070 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x170070 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-300871931-1290874793-3761665422-2765860781 Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16FC54 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-300871931-1290874793-3761665422-2765860781 Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16FC54 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-300871931-1290874793-3761665422-2765860781 Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16FC54 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-300871931-1290874793-3761665422-2765860781 Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16F696 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-300871931-1290874793-3761665422-2765860781 Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16F696 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-300871931-1290874793-3761665422-2765860781 Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16F696 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x16B1EB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:07 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x16B1FB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:07 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x16B20C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:07 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x16B20C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {12074C30-9193-00D4-2B37-C7BA2268E389} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59640 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x16B1FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {12074C30-9193-00D4-2B37-C7BA2268E389} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59641 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x16B1EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {12074C30-9193-00D4-2B37-C7BA2268E389} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59639 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x16AAAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {12074C30-9193-00D4-2B37-C7BA2268E389} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59638 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x169894 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3A9920B1-538E-D2E2-E735-44389FAE6D28} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59638 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x168CC4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x168CC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8866BF95-E417-3FC7-BA7B-CEEB9E97D4C7} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14901	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-300871931-1290874793-3761665422-2765860781 Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x168887 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-300871931-1290874793-3761665422-2765860781 Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x168887 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-300871931-1290874793-3761665422-2765860781 Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x168887 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-300871931-1290874793-3761665422-2765860781 Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1686BF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-300871931-1290874793-3761665422-2765860781 Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1686BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 11EEF0FB-2FA9-4CF1-8E75-36E0ADAFDBA4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x168683 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x168683 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x168683 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x168698 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x168698 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x167EF2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59642 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14887	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167EF2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14886	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x167EBA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59580 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14885	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167EBA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14884	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x167E32 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59580 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14883	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167E32 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14882	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x167D8F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59642 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14881	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x167D74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14880	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167D8F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14879	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167D74 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14878	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x167CCA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14877	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167CCA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14876	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x167C66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14875	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167BA0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14874	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167B7F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14873	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167C66 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14872	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x167C0B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14871	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167C0B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14870	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167B8B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14869	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x167BA0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59641 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14868	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167BA0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14867	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x167B8B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59640 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14866	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167B8B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14865	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x167B7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59639 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14864	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167B7F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14863	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x167779 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59638 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14862	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167779 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14861	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1675A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59580 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14860	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1675A2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14859	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x16757C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14858	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x16757C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14857	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x167567 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14856	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167567 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14855	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x16753C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14854	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x16753C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14853	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x167321 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59580 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14852	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x167321 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14851	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x16728B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14850	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x16728B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14849	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x16725B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14848	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x16725B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14847	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1671F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14846	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1671F4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14845	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x166FB1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59580 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14844	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166FB1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14843	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x166F87 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14842	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166F87 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14841	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x166F72 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14840	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166F72 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14839	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x166F5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14838	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166F5B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14837	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x166E28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59580 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14836	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166E28 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14835	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x15D208 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14834	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x166A8B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59580 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14833	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166A8B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14832	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x166A75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14831	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166A75 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14830	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x166A60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14829	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166A60 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14828	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x166A49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14827	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166A49 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14826	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x166987 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14825	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166987 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14824	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x166972 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14823	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x166972 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14822	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x16695B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14821	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x16695B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14820	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:33:05 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16270C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14819	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16270C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14818	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16270C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14817	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14816	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x161286 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14815	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16151A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14814	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16151A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14813	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14812	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x161413 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14811	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x161413 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14810	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x161413 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14809	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14808	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16137E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14807	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16137E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14806	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16137E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14805	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14804	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x161286 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14803	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-209657179-1319637718-458646161-3999591330 Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x161286 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14802	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0C7F1D5B-12D6-4EA8-9162-561BA2EB64EE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14801	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:58 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x15D208 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59625 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14800	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:49 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x15D208 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14799	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:49 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15909B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14798	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15909B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14797	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15909B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14796	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14795	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x158AC4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14794	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x158AC4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14793	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x158AC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14792	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14791	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x12B1D5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14790	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x126B8D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14789	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x124ACF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14788	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x12A6A3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14787	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x143461 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14786	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x143461 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14785	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x143461 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14784	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14783	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1423A2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14782	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x142570 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14781	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x142570 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14780	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14779	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x142497 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14778	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x142497 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14777	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x142497 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14776	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14775	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14244E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14774	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14244E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14773	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14244E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14772	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14771	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1423A2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14770	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2330548096-1155224263-4281349053-1321503659 Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1423A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14769	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AE95780-52C7-44DB-BD33-30FFAB8BC44E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14768	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:35 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13F345 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14767	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13F345 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14766	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13F345 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14765	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14764	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x12972E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14763	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3135519331-1261210236-2137999023-612399123 Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13CD97 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14762	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3135519331-1261210236-2137999023-612399123 Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13CD97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14761	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14760	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11D20A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14759	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x137235 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14758	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x137235 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14757	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x137235 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14756	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14755	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x131AB8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14754	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x131AB8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14753	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x131AB8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14752	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3135519331-1261210236-2137999023-612399123 Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1316B6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14751	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3135519331-1261210236-2137999023-612399123 Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1316B6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14750	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3135519331-1261210236-2137999023-612399123 Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1316B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14749	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14748	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3135519331-1261210236-2137999023-612399123 Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x131466 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14747	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3135519331-1261210236-2137999023-612399123 Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x131466 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14746	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3135519331-1261210236-2137999023-612399123 Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x131466 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14745	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14744	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:24 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12EF31 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14743	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12EF31 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14742	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12EF31 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14741	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14740	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x12B2B3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14739	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x12B2A3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14738	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x12B2C3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14737	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x12B2C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C67EDC9C-A295-05FA-D0F3-A9503A09D772} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59605 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14736	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x12B2B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C67EDC9C-A295-05FA-D0F3-A9503A09D772} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59604 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14735	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x12B2A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C67EDC9C-A295-05FA-D0F3-A9503A09D772} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59603 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14734	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x12B1D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C67EDC9C-A295-05FA-D0F3-A9503A09D772} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59602 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14733	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x12A6A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3A9920B1-538E-D2E2-E735-44389FAE6D28} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59602 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14732	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x129FE2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14731	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x129FE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8866BF95-E417-3FC7-BA7B-CEEB9E97D4C7} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14730	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3135519331-1261210236-2137999023-612399123 Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x129DFE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14729	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3135519331-1261210236-2137999023-612399123 Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x129DFE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14728	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3135519331-1261210236-2137999023-612399123 Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x129DFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14727	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14726	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3135519331-1261210236-2137999023-612399123 Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x129848 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14725	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3135519331-1261210236-2137999023-612399123 Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x129848 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14724	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BAE43A63-8A7C-4B2C-AF46-6F7F13788024 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14723	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x12972E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14722	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x12972E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14721	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x128497 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59580 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14720	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x128497 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14719	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1282EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59580 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14718	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1282EF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14717	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x127D09 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14716	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x127D09 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14715	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x127CA7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14714	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x127CA7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14713	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x127BE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14712	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x127BE2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14711	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x127B25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59606 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14710	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x127B25 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14709	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1274CA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14708	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x127455 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14707	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x127455 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14706	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x127455 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14705	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14704	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x127486 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14703	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1274CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59605 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14702	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1274CA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14701	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12727B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14700	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12727B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14699	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12727B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14698	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14697	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x127472 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14696	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x127486 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59604 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14695	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x127486 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14694	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x127472 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59603 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14693	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x127472 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14692	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x126B8D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59602 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14691	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x126B8D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14690	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1243FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14689	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x124ACF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14688	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x124ACF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14687	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14686	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1248FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14685	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1248FF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14684	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1248FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14683	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14682	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x124700 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14681	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x124700 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14680	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x124700 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14679	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14678	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1243FC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14677	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3198886957-1103594468-1876591254-520072291 Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1243FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14676	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BEAB242D-83E4-41C7-9682-DA6F63ACFF1E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14675	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121EDB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14674	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121EDB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14673	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121EDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14672	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14671	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x120F9E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14670	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121101 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14669	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121101 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14668	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14667	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121098 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14666	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121098 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14665	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121098 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14664	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14663	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12104B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14662	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12104B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14661	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12104B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14660	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14659	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x120F9E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14658	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3352744966-1281631382-4108336300-2512776342 Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x120F9E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14657	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C7D6D406-2496-4C64-AC3C-E0F496ECC595 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14656	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:18 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1138DF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14655	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102C06 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14654	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11E8D8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14653	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11E8D8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14652	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11E8D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14651	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14650	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11CC90 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14649	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11D20A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14648	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11D20A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14647	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14646	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11CFA5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14645	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11CFA5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14644	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11CFA5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14643	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14642	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11CD50 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14641	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11CD50 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14640	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11CD50 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14639	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14638	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11CC90 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14637	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4113776600-1301661976-455718068-1870949177 Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11CC90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14636	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5333FD8-C918-4D95-B4B4-291B396B846F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14635	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11A8E9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14634	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11A8E9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14633	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11A8E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14632	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14631	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1199A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14630	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x119B68 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14629	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x119B68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14628	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14627	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x119B0F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14626	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x119B0F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14625	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x119B0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14624	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14623	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x119A4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14622	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x119A4E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14621	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x119A4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14620	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14619	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1199A3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14618	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-160394289-1075799727-1680346044-2164778268 Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1199A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14617	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 098F6C31-66AF-401F-BC0B-28641CE50781 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14616	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:11 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x116D95 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14615	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x116D95 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14614	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x116D95 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14613	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14612	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:32:04 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1138DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59595 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14611	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0x1138DF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14610	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11223A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14609	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11223A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14608	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11223A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14607	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14606	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:54 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10F56C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14605	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10F56C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14604	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10F56C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14603	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14602	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10B984 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14601	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10B984 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14600	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10B984 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14599	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14598	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:50 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x107906 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14597	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x107906 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14596	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:47 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x107906 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14595	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:47 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14594	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:47 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1063AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14593	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x106509 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14592	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x106509 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14591	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14590	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10649D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14589	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10649D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14588	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10649D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14587	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14586	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x106454 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14585	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x106454 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14584	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x106454 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14583	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14582	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1063AF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14581	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1045934954-1283435839-44693946-1746287000 Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1063AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14580	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3E57B36A-AD3F-4C7F-BAF9-A90298391668 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14579	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x105688 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14578	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x105688 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14577	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x105688 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14576	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14575	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1047F2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14574	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x104941 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14573	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x104941 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14572	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14571	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1048E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14570	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1048E8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14569	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1048E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14568	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14567	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10489F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14566	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10489F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14565	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10489F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14564	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14563	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1047F2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14562	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3422470189-1286592632-56636800-1544991035 Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1047F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14561	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CBFEC02D-D878-4CAF-8035-60033BB1165C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14560	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1038ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14559	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1038ED Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14558	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1038ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14557	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14556	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:44 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102AB8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14555	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102C06 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14554	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102C06 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14553	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14552	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102BAD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14551	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102BAD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14550	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102BAD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14549	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14548	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102B64 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14547	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102B64 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14546	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102B64 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14545	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14544	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102AB8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14543	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1282232323-1135593884-3449613221-1271128428 Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102AB8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14542	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4C6D5003-C99C-43AF-A5EB-9CCD6CE1C34B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14541	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:43 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0xEEE1A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14540	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0xED4F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14539	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEABE8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14538	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEAC58 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14537	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE9038 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14536	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEB63E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14535	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-753316273-1299558169-1605783702-302628130 Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF9059 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14534	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-753316273-1299558169-1605783702-302628130 Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF9059 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14533	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14532	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:31 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF7808 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14531	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF7808 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14530	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF7808 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14529	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14528	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:30 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xF3602 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14527	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xF3602 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14526	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xF3602 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14525	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-753316273-1299558169-1605783702-302628130 Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF34B8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14524	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-753316273-1299558169-1605783702-302628130 Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF34B8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14523	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-753316273-1299558169-1605783702-302628130 Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF34B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14522	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14521	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-753316273-1299558169-1605783702-302628130 Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF33F5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14520	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-753316273-1299558169-1605783702-302628130 Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF33F5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14519	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-753316273-1299558169-1605783702-302628130 Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF33F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14518	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14517	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:28 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE03D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14516	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0xEEFA8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14515	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0xEEFFC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14514	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0xEEFD5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14513	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEEFFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B7B43A46-62D0-D4BA-8996-D2170E94D0D1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59573 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14512	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEEFD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B7B43A46-62D0-D4BA-8996-D2170E94D0D1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59572 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14511	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEEFA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B7B43A46-62D0-D4BA-8996-D2170E94D0D1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59571 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14510	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEEE1A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B7B43A46-62D0-D4BA-8996-D2170E94D0D1} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59569 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14509	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:27 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xED4F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3A9920B1-538E-D2E2-E735-44389FAE6D28} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59569 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14508	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0xEBE0C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14507	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-1106 Account Name: N-H2-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEBE0C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {8866BF95-E417-3FC7-BA7B-CEEB9E97D4C7} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14506	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-753316273-1299558169-1605783702-302628130 Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEBA3F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14505	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-753316273-1299558169-1605783702-302628130 Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEBA3F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14504	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-753316273-1299558169-1605783702-302628130 Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEBA3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14503	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14502	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-753316273-1299558169-1605783702-302628130 Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEB82B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14501	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-753316273-1299558169-1605783702-302628130 Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEB82B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14500	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2CE6B1B1-AF19-4D75-9650-B65F22BD0912 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14499	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEB63E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14498	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEB63E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14497	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEAE53 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59580 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14496	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEAE53 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14495	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEAE1C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14494	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEAE1C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14493	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEAE07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14492	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEAE07 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14491	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEADF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14490	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEADF0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14489	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEADDF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59577 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14488	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEADDF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14487	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEAC58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {EF194D98-FBB1-C1A4-2332-A5AD1502B55D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59575 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14486	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEAC58 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14485	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEAC3C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14484	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEAC13 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14483	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEAC3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59573 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14482	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEAC3C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14481	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEAC28 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14480	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEAC28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59572 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14479	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEAC28 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14478	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEAC13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59571 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14477	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEAC13 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14476	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon ID: 0xEABE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9DB71E60-BE48-AF55-5B3D-968E9E102771} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.49 Source Port: 59569 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14475	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: Administrator Account Domain: CBCI-805046-2 Logon ID: 0xEABE8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14474	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE9D28 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14473	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE9D28 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14472	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE9D28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14471	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14470	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE8E38 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14469	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE9038 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14468	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE9038 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14467	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14466	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE8FDF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14465	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE8FDF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14464	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE8FDF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14463	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14462	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE8F96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14461	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE8F96 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14460	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE8F96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14459	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14458	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE8E38 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14457	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4217821355-1222544601-346724481-1518836268 Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE8E38 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14456	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB66D8AB-8CD9-48DE-8198-AA142C9A875A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14455	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:23 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE74B8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14454	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE74B8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14453	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE74B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14452	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14451	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:22 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC8BA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14450	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE205F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14449	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE205F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14448	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE205F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14447	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14446	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:15 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFC03 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14445	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE03D7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14444	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE03D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14443	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14442	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE00C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14441	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE00C9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14440	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE00C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14439	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14438	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFF03 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14437	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFF03 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14436	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFF03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14435	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14434	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFC03 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14433	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3011010347-1133032321-100598419-3743906505 Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFC03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14432	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3785F2B-B381-4388-9302-FF05C97A27DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14431	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:14 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC5CF1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14430	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD6F34 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14429	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD6F34 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14428	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD6F34 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14427	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14426	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:01 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD3241 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14425	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD3241 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14424	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD3241 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14423	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14422	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:31:00 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCD5A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14421	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCD5A1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14420	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCD5A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14419	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14418	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:52 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC76C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14417	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC8BA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14416	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC8BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14415	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14414	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC861 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14413	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC861 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14412	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC861 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14411	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14410	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC818 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14409	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC818 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14408	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC818 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14407	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14406	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC76C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14405	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2672118552-1247953175-4209399942-3295461771 Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCC76C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14404	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9F454B18-4117-4A62-8658-E6FA8BC16CC4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14403	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:51 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC995F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14402	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC995F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14401	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC995F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14400	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14399	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14398	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14397	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC30A4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14396	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC5CF1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14395	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC5CF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14394	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14393	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC47FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14392	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC47FC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14391	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC47FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14390	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14389	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC3C3F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14388	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC3C3F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14387	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC3C3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14386	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14385	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC30A4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14384	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3140394263-1331095691-172051869-707649102 Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC30A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14383	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BB2E9D17-E88B-4F56-9D4D-410A4EDE2D2A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14382	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:30:48 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14381	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:29:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14380	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:29:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_8bdcdd07-8460-467e-8f94-2d70c264125f Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14379	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:29:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x24357 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xb3c Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0		0	13826	0	-9214364837600034816	14378	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:29:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x15AFA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14377	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:28:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: administrator Account Domain: CBCI-805046-2 Logon ID: 0x6E0E7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14376	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: administrator Account Domain: CBCI-805046-2 Logon ID: 0x6E0E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {D38DC93A-BEBC-71A2-6FEB-8243D7508C20} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-805046-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14375	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-805046-2 Logon GUID: {D38DC93A-BEBC-71A2-6FEB-8243D7508C20} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14374	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:59 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5b8 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14373	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:55 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: administrator Account Domain: CBCI-805046-2 Logon ID: 0x550C1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14372	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2542573344-3901350956-1593319522-500 Account Name: administrator Account Domain: CBCI-805046-2 Logon ID: 0x550C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {BA942164-53D0-EB98-735F-B1FA01F2D478} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-805046-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14371	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-805046-2 Logon GUID: {BA942164-53D0-EB98-735F-B1FA01F2D478} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14370	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:53 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x4F607 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14369	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x4F607 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B926283B-51DB-4C40-DD10-DCECD07F9C16} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14368	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x4F607 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14367	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon GUID: {E57CF153-89FD-C718-E540-555AD3BBD56B} Target Server: Target Server Name: n-h1-805046-2$ Additional Information: n-h1-805046-2$ Process Information: Process ID: 0xfa8 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14366	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:46 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x4DA2C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14365	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x4DA2C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {96A24C8A-3855-0694-A2D3-35D17024A29D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14364	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x4DA2C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14363	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	848	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:45 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x404C3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14362	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x404C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2B47ABDA-C789-3139-6EE7-DD6CFC9D89EC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14361	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x404C3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14360	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon GUID: {D20F5E46-9088-0E56-8722-3D461A788490} Target Server: Target Server Name: n-h1-805046-2$ Additional Information: n-h1-805046-2$ Process Information: Process ID: 0x12ec Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14359	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E11E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14358	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x3E11E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {96A24C8A-3855-0694-A2D3-35D17024A29D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14357	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E11E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14356	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:36 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x2C32F Logon Type: 4 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14355	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
System security access was granted to an account. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x24357 Account Modified: Account Name: S-1-5-21-2542573344-3901350956-1593319522-500 Access Granted: Access Right: SeServiceLogonRight	4717	0		0	13569	0	-9214364837600034816	14354	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:26 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14353	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14352	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:21 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x32E3C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14351	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x32E3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {3C260595-8D9E-27C0-942F-17097E5E4E23} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14350	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:20 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x32E3C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14349	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:20 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon GUID: {12F24248-F8BF-F446-9A18-150AA78CF282} Target Server: Target Server Name: n-h1-805046-2$ Additional Information: n-h1-805046-2$ Process Information: Process ID: 0xa1c Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14348	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:20 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x2C32F Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14347	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x15AFA Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x2C32F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9a0 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-805046-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14346	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-805046-2 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14345	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:16 PM	213e37db-96ba-0005-0338-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x15AFA Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2	4724	0		0	13824	0	-9214364837600034816	14344	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x15AFA Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/21/2021 6:27:16 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14343	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x15AFA User: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Process Information: Process ID: 0x9a0 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14342	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x15AFA User: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Process Information: Process ID: 0x9a0 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14341	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:16 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5b8 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14340	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x246FD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14339	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x246FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {96A24C8A-3855-0694-A2D3-35D17024A29D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14338	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x246FD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14337	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x24357 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14336	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x24357 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-805046-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14335	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-805046-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14334	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-805046-2 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14333	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:13 PM	213e37db-96ba-0005-ff37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe	4799	0		0	13826	0	-9214364837600034816	14332	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x9e4 Process Name: C:\Windows\System32\vmms.exe	4799	0		0	13826	0	-9214364837600034816	14331	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d426d04a-5c7a-41d8-ba53-1260eec698e3 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14330	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d426d04a-5c7a-41d8-ba53-1260eec698e3 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\dd1d5c87532e7603e6c1f0640965d77c_8bdcdd07-8460-467e-8f94-2d70c264125f Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14329	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14328	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14327	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:13 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14326	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14325	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Domain: Domain Name: N-H1-805046-2 Domain ID: S-1-5-21-1584718402-3362625617-540748525 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: - Min. Password Length: - Password History Length: - Machine Account Quota: - Mixed Domain Mode: 1 Domain Behavior Version: 7 OEM Information: 24 Additional Information: Privileges: -	4739	0		0	13569	0	-9214364837600034816	14324	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:12 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.	5024	0		0	12292	0	-9214364837600034816	14323	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x1B3B8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14322	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1B3B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9E79D347-F5BD-D239-A1D5-5906AD301880} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14321	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x1B3B8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14320	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x1A756 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14319	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14318	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_8bdcdd07-8460-467e-8f94-2d70c264125f Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14317	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14316	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_8bdcdd07-8460-467e-8f94-2d70c264125f Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14315	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2.LOCAL Logon ID: 0x1A756 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9E79D347-F5BD-D239-A1D5-5906AD301880} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14314	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x1A756 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14313	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5b8 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14312	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x17AFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14311	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2280	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:10 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14310	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2284	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14309	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2284	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x15AFA Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14308	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2284	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x15AFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-805046-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14307	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2284	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14306	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2284	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14305	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2276	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14304	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2276	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-805046-2 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14303	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2284	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0004-fb37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14302	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2272	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x498 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14301	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2276	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14300	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2284	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14299	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2284	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14298	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2284	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14297	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2284	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14296	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2276	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14295	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2276	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14294	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2276	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14293	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2276	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.	5033	0		0	12292	0	-9214364837600034816	14292	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	500	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5b8 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14291	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5b8 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14290	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14289	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	868	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14288	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	868	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14287	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	868	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14286	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	868	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14285	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	868	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14284	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	868	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:09 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14283	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14282	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14281	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14280	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14279	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14278	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14277	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14276	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:08 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x3f8 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?08?-?21T18:27:07.924468300Z New Time: ?2021?-?08?-?21T18:27:08.427000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	14275	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14274	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14273	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	796	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14272	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14271	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	868	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14270	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14269	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBD40 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege	4672	0		0	12548	0	-9214364837600034816	14268	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBD01 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14267	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBD40 Linked Logon ID: 0xBD01 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14266	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBD01 Linked Logon ID: 0xBD40 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14265	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14264	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14263	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14262	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	904	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:07 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14261	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	868	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: CBCI-805046-2 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14260	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	868	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:06 PM	213e37db-96ba-0002-df37-3e21ba96d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x6517	4902	0		0	13568	0	-9214364837600034816	14259	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	864	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14258	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	820	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.	4608	0		0	12288	0	-9214364837600034816	14257	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	820	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x330 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14256	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	384	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x320 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14255	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	384	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14254	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	384	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b0 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x238 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14253	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	504	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x298 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14252	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	504	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x28c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14251	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	504	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x240 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x238 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14250	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	384	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x238 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14249	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	384	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20c New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14248	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14247	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	208	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d0 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14246	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No	4826	0		0	13573	0	-9214364837600034816	14245	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-805046-2.cbci-805046-2.local		8/21/2021 6:27:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other Policy Change Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5b0 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?08?-?21T18:26:51.993395400Z New Time: ?2021?-?08?-?21T18:26:51.986000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	14244	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	3812	n-h1-805046-2		8/21/2021 6:26:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.	1100	0		4	103	0	4620693217682128896	14243	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	1448	3960	n-h1-805046-2		8/21/2021 6:26:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Service shutdown	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x8347E4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14242	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 6:26:50 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x8347E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-805046-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14241	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 6:26:50 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-805046-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14240	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 6:26:50 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-805046-2 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14239	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 6:26:50 PM	68755f95-96b5-0003-c279-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF Member: Security ID: S-1-5-21-2542573344-3901350956-1593319522-513 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: -	4732	0		0	13826	0	-9214364837600034816	14238	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2036	n-h1-805046-2		8/21/2021 6:26:47 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF Member: Security ID: S-1-5-21-2542573344-3901350956-1593319522-512 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -	4732	0		0	13826	0	-9214364837600034816	14237	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 6:26:47 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-805046-2.cbci-805046-2.local Additional Information: cifs/n-ad-805046-2.cbci-805046-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.16 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14236	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	176	n-h1-805046-2		8/21/2021 6:26:47 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-805046-2.cbci-805046-2.local Additional Information: cifs/n-ad-805046-2.cbci-805046-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.16 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14235	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	176	n-h1-805046-2		8/21/2021 6:26:47 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-805046-2.cbci-805046-2.local Additional Information: cifs/n-ad-805046-2.cbci-805046-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.16 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14234	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 6:26:47 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-805046-2.cbci-805046-2.local Additional Information: cifs/n-ad-805046-2.cbci-805046-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.16 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14233	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2036	n-h1-805046-2		8/21/2021 6:26:47 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-805046-2.cbci-805046-2.local Additional Information: cifs/n-ad-805046-2.cbci-805046-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.16 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14232	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 6:26:47 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-805046-2.cbci-805046-2.local Additional Information: cifs/n-ad-805046-2.cbci-805046-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.16 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14231	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2036	n-h1-805046-2		8/21/2021 6:26:47 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-805046-2.cbci-805046-2.local Additional Information: cifs/n-ad-805046-2.cbci-805046-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.16 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14230	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	2036	n-h1-805046-2		8/21/2021 6:26:47 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-805046-2.cbci-805046-2.local Additional Information: LDAP/n-ad-805046-2.cbci-805046-2.local Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 10.222.0.16 Port: 49666 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14229	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 6:26:47 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon GUID: {CC73A0DF-2ACA-243C-B7C4-4413C1673DA2} Target Server: Target Server Name: n-ad-805046-2.cbci-805046-2.local Additional Information: ldap/n-ad-805046-2.cbci-805046-2.local Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14228	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 6:26:47 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-805046-2.LOCAL Logon GUID: {CC73A0DF-2ACA-243C-B7C4-4413C1673DA2} Target Server: Target Server Name: n-ad-805046-2.cbci-805046-2.local Additional Information: cifs/n-ad-805046-2.cbci-805046-2.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.16 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14227	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 6:26:47 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1224 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0		0	13826	0	-9214364837600034816	14226	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 6:26:31 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14225	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 6:16:03 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14224	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 6:16:03 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14223	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 6:01:12 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14222	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 6:01:12 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF User: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Process Information: Process ID: 0xbbc Process Name: C:\Program Files\Git\usr\bin\bash.exe	4798	0		0	13824	0	-9214364837600034816	14221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 6:00:55 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF User: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Process Information: Process ID: 0x1128 Process Name: C:\Program Files\Git\usr\bin\bash.exe	4798	0		0	13824	0	-9214364837600034816	14220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 6:00:54 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF User: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Process Information: Process ID: 0x6e0 Process Name: C:\Program Files\Git\usr\bin\bash.exe	4798	0		0	13824	0	-9214364837600034816	14219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 6:00:54 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:57:11 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x131FDF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-805046-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:57:11 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-805046-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:57:11 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-805046-2 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:57:11 PM	68755f95-96b5-0000-b863-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x11EAEA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:57:05 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x11EAEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-805046-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:57:05 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-805046-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:57:05 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-805046-2 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:57:05 PM	68755f95-96b5-0005-3561-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:57:04 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:57:04 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x11A155 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:57:02 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x11A155 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-805046-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:57:02 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-805046-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:57:02 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-805046-2 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:57:02 PM	68755f95-96b5-0001-5264-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x92884 Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-500 Account Name: Administrator Account Domain: N-H1-805046-2	4724	0		0	13824	0	-9214364837600034816	14204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:56:20 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x92884 Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-500 Account Name: Administrator Account Domain: N-H1-805046-2 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/21/2021 5:56:20 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:56:20 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x92884 User: Security ID: S-1-5-21-1584718402-3362625617-540748525-500 Account Name: Administrator Account Domain: N-H1-805046-2 Process Information: Process ID: 0x664 Process Name: C:\Windows\System32\net1.exe	4798	0		0	13824	0	-9214364837600034816	14202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:56:20 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x92884 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xfac Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0		0	13826	0	-9214364837600034816	14201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:56:03 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:55:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:55:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:55:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:55:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_8bdcdd07-8460-467e-8f94-2d70c264125f Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:55:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Create Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:55:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_8bdcdd07-8460-467e-8f94-2d70c264125f Operation: Write persisted key to file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:55:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016	5061	0		0	12290	0	-9218868437227405312	14193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:55:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Delete key file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:55:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:55:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:55:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:55:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:55:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:55:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x2C630 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:54:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5b0 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?08?-?21T17:54:33.765879900Z New Time: ?2021?-?08?-?21T17:54:33.751000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	14185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	508	n-h1-805046-2		8/21/2021 5:54:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x92884 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:27 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x92884 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-805046-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:27 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-805046-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:27 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-805046-2 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:27 PM	68755f95-96b5-0001-c761-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x8F854 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x8F854 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:22 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x8F854 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-805046-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:22 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-805046-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:22 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-805046-2 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:22 PM	68755f95-96b5-0004-4060-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d426d04a-5c7a-41d8-ba53-1260eec698e3 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:54:22 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d426d04a-5c7a-41d8-ba53-1260eec698e3 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\dd1d5c87532e7603e6c1f0640965d77c_8bdcdd07-8460-467e-8f94-2d70c264125f Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:54:22 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2	4724	0		0	13824	0	-9214364837600034816	14173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:20 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/21/2021 5:54:20 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:20 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F User: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Process Information: Process ID: 0x63c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:20 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F User: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Process Information: Process ID: 0x63c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:20 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F User: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Process Information: Process ID: 0x63c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:20 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:16 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:16 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F User: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Process Information: Process ID: 0x63c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:16 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F Member: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -	4732	0		0	13826	0	-9214364837600034816	14165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:15 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x7995C Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x248 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:15 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Logon ID: 0x7995C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x63c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-805046-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:13 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-805046-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x63c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:13 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-805046-2 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:13 PM	68755f95-96b5-0000-1a60-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2	4724	0		0	13824	0	-9214364837600034816	14159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:09 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/21/2021 5:54:09 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x210 User Account Control: Account Enabled 'Password Not Required' - Disabled 'Don't Expire Password' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:09 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was enabled. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2	4722	0		0	13824	0	-9214364837600034816	14157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:09 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was created. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F New Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: Admin Account Domain: N-H1-805046-2 Attributes: SAM Account Name: Admin Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges -	4720	0		0	13824	0	-9214364837600034816	14156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:09 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled global group. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F Member: Security ID: S-1-5-21-1584718402-3362625617-540748525-1001 Account Name: - Group: Security ID: S-1-5-21-1584718402-3362625617-540748525-513 Group Name: None Group Domain: N-H1-805046-2 Additional Information: Privileges: -	4728	0		0	13826	0	-9214364837600034816	14155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:54:09 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:45 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x2C630 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x5299F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xff4 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-805046-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:45 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-805046-2 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:45 PM	68755f95-96b5-0003-0560-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x2C630 Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2	4724	0		0	13824	0	-9214364837600034816	14151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:45 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x2C630 Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/21/2021 5:53:45 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:45 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x2C630 User: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Process Information: Process ID: 0xff4 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:45 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x2C630 User: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Process Information: Process ID: 0xff4 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:45 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:45 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:45 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 2 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Administrator Account Domain: N-H1-805046-2 Failure Information: Failure Reason: The specified account's password has expired. Status: 0xC0000224 Sub Status: 0x0 Process Information: Caller Process ID: 0x248 Caller Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-805046-2 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4625	0		0	12544	0	-9218868437227405312	14145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:44 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-1584718402-3362625617-540748525-500 Account Name: Administrator Account Domain: N-H1-805046-2 Process Information: Process ID: 0x4f8 Process Name: C:\Windows\System32\LogonUI.exe	4798	0		0	13824	0	-9214364837600034816	14144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:44 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:41 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:41 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x9b0 Process Name: C:\Windows\System32\vmms.exe	4799	0		0	13826	0	-9214364837600034816	14141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:40 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x9b0 Process Name: C:\Windows\System32\vmms.exe	4799	0		0	13826	0	-9214364837600034816	14140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:40 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:40 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:40 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x248 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:39 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:53:38 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_8bdcdd07-8460-467e-8f94-2d70c264125f Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:53:38 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:53:38 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_8bdcdd07-8460-467e-8f94-2d70c264125f Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:53:38 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x2C630 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:37 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon ID: 0x2C630 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-805046-2 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:37 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H1-805046-2 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:37 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-805046-2 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:37 PM	68755f95-96b5-0003-c75f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:35 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:35 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:53:35 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:53:35 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:53:35 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:53:35 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:53:35 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x248 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:35 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.	5024	0		0	12292	0	-9214364837600034816	14118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:34 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x20353 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:33 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:33 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:33 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:33 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:33 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:33 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:33 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:33 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:33 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:33 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:33 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.	5033	0		0	12292	0	-9214364837600034816	14106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	836	n-h1-805046-2		8/21/2021 5:53:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x248 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:33 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x248 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:33 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:33 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:33 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:32 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:32 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:32 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:32 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:32 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:32 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:32 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:32 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:32 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:32 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:32 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:32 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5a8 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?08?-?21T17:53:31.175428700Z New Time: ?2021?-?08?-?21T17:53:32.238000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	14089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	508	n-h1-805046-2		8/21/2021 5:53:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:31 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:31 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x54c Process Information: Process ID: 0x520 Process Name: C:\Windows\System32\oobe\msoobe.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)	4907	0		0	13568	0	-9214364837600034816	14086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	508	n-h1-805046-2		8/21/2021 5:53:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:30 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:30 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	856	n-h1-805046-2		8/21/2021 5:53:30 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:30 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-1584718402-3362625617-540748525-513 Group Name: None Group Domain: N-H1-805046-2 Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: -	4737	0		0	13826	0	-9214364837600034816	14081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-513 Account Domain: N-H1-805046-2 Old Account Name: None New Account Name: None Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-1584718402-3362625617-540748525-513 Group Name: None Group Domain: N-H1-805046-2 Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4737	0		0	13826	0	-9214364837600034816	14079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-503 Account Name: DefaultAccount Account Domain: N-H1-805046-2 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-503 Account Name: DefaultAccount Account Domain: N-H1-805046-2 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-501 Account Name: Guest Account Domain: N-H1-805046-2 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-501 Account Name: Guest Account Domain: N-H1-805046-2 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-500 Account Name: Administrator Account Domain: N-H1-805046-2 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-500 Account Name: Administrator Account Domain: N-H1-805046-2 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-581 Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-582 Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-580 Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-579 Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-578 Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-577 Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-576 Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-575 Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-574 Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-573 Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-569 Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-568 Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-562 Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-559 Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-558 Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-547 Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-556 Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-555 Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-552 Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-551 Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-546 Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-545 Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-544 Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-550 Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:29 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:19 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:19 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:19 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:19 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:18 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:18 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:18 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:18 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB567 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege	4672	0		0	12548	0	-9214364837600034816	13992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:18 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB554 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:18 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB567 Linked Logon ID: 0xB554 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:18 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB554 Linked Logon ID: 0xB567 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:18 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	13988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	908	n-h1-805046-2		8/21/2021 5:53:18 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:53:18 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	912	n-h1-805046-2		8/21/2021 5:53:18 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:53:17 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-805046-2$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	872	n-h1-805046-2		8/21/2021 5:53:17 PM	68755f95-96b5-0002-995f-7568b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x61A5	4902	0		0	13568	0	-9214364837600034816	13983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	880	n-h1-805046-2		8/21/2021 5:53:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	820	n-h1-805046-2		8/21/2021 5:53:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.	4608	0		0	12288	0	-9214364837600034816	13981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	816	820	n-h1-805046-2		8/21/2021 5:53:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x330 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	512	n-h1-805046-2		8/21/2021 5:53:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x320 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	512	n-h1-805046-2		8/21/2021 5:53:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	512	n-h1-805046-2		8/21/2021 5:53:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b0 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	512	n-h1-805046-2		8/21/2021 5:53:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x298 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	512	n-h1-805046-2		8/21/2021 5:53:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x290 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	512	n-h1-805046-2		8/21/2021 5:53:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x250 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	188	n-h1-805046-2		8/21/2021 5:53:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	188	n-h1-805046-2		8/21/2021 5:53:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x218 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	228	n-h1-805046-2		8/21/2021 5:53:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-805046-2		8/21/2021 5:53:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d0 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-805046-2		8/21/2021 5:53:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No	4826	0		0	13573	0	-9214364837600034816	13969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-805046-2		8/21/2021 5:53:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other Policy Change Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5e4 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?08?-?21T17:53:04.881996600Z New Time: ?2021?-?08?-?21T17:53:04.878000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	13968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	584	WIN-5T344G8GM1H		8/21/2021 5:53:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.	1100	0		4	103	0	4620693217682128896	13967	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	1328	1564	WIN-5T344G8GM1H		8/21/2021 5:53:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Service shutdown	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	WIN-5T344G8GM1H		8/21/2021 5:53:00 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	WIN-5T344G8GM1H		8/21/2021 5:53:00 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H	4724	0		0	13824	0	-9214364837600034816	13964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	WIN-5T344G8GM1H		8/21/2021 5:52:46 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/21/2021 5:52:46 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	13963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	WIN-5T344G8GM1H		8/21/2021 5:52:46 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xa78 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	13962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	WIN-5T344G8GM1H		8/21/2021 5:52:46 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-1584718402-3362625617-540748525-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xa78 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	13961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	WIN-5T344G8GM1H		8/21/2021 5:52:46 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x2d0 Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\oobe\Setup.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)	4907	0		0	13568	0	-9214364837600034816	13960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	472	WIN-5T344G8GM1H		8/21/2021 5:52:21 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	WIN-5T344G8GM1H		8/21/2021 5:52:15 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	WIN-5T344G8GM1H		8/21/2021 5:52:15 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.	5024	0		0	12292	0	-9214364837600034816	13957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	WIN-5T344G8GM1H		8/21/2021 5:52:12 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x63212 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	WIN-5T344G8GM1H		8/21/2021 5:52:11 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:11 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:11 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:11 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:11 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:11 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:11 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:10 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:10 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:10 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:10 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.	5033	0		0	12292	0	-9214364837600034816	13945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	240	WIN-5T344G8GM1H		8/21/2021 5:52:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:10 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:10 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	WIN-5T344G8GM1H		8/21/2021 5:52:09 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	WIN-5T344G8GM1H		8/21/2021 5:52:09 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x530 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?08?-?21T17:52:09.077613200Z New Time: ?2021?-?08?-?21T17:52:09.770000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	13940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	240	WIN-5T344G8GM1H		8/21/2021 5:52:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	WIN-5T344G8GM1H		8/21/2021 5:52:09 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	WIN-5T344G8GM1H		8/21/2021 5:52:09 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:08 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:08 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:01 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:01 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:01 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:01 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:00 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:00 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:00 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:00 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x574F1 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege	4672	0		0	12548	0	-9214364837600034816	13927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:00 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x574D3 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:00 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x574F1 Linked Logon ID: 0x574D3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:00 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x574D3 Linked Logon ID: 0x574F1 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:00 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	13923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	WIN-5T344G8GM1H		8/21/2021 5:52:00 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	WIN-5T344G8GM1H		8/21/2021 5:52:00 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	908	WIN-5T344G8GM1H		8/21/2021 5:52:00 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	WIN-5T344G8GM1H		8/21/2021 5:51:59 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	WIN-5T344G8GM1H		8/21/2021 5:51:59 PM	30907657-96b5-0004-5d76-9030b596d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x500E2	4902	0		0	13568	0	-9214364837600034816	13918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	868	WIN-5T344G8GM1H		8/21/2021 5:51:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	824	WIN-5T344G8GM1H		8/21/2021 5:51:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.	4608	0		0	12288	0	-9214364837600034816	13916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	824	WIN-5T344G8GM1H		8/21/2021 5:51:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x334 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	WIN-5T344G8GM1H		8/21/2021 5:51:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	WIN-5T344G8GM1H		8/21/2021 5:51:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2dc New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	568	WIN-5T344G8GM1H		8/21/2021 5:51:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x254 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	568	WIN-5T344G8GM1H		8/21/2021 5:51:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	568	WIN-5T344G8GM1H		8/21/2021 5:51:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x294 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	568	WIN-5T344G8GM1H		8/21/2021 5:51:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x25c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x254 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	592	WIN-5T344G8GM1H		8/21/2021 5:51:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x254 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	592	WIN-5T344G8GM1H		8/21/2021 5:51:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x23c New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	472	WIN-5T344G8GM1H		8/21/2021 5:51:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20c New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	240	WIN-5T344G8GM1H		8/21/2021 5:51:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e8 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		8/21/2021 5:51:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		8/21/2021 5:51:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No	4826	0		0	13573	0	-9214364837600034816	13903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		8/21/2021 5:51:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other Policy Change Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4dc Name: C:\Windows\System32\svchost.exe Previous Time: ?2018?-?01?-?19T09:48:13.164762500Z New Time: ?2018?-?01?-?19T09:48:13.152000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	13902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	1980	WIN-5T344G8GM1H		1/19/2018 9:48:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.	1100	0		4	103	0	4620693217682128896	13901	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	436	1144	WIN-5T344G8GM1H		1/19/2018 9:48:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Service shutdown	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
User initiated logoff: Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.	4647	0		0	12545	0	-9214364837600034816	13900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:48:12 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	3024	WIN-5T344G8GM1H		1/19/2018 9:48:11 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	3024	WIN-5T344G8GM1H		1/19/2018 9:48:11 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	756	WIN-5T344G8GM1H		1/19/2018 9:48:10 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	756	WIN-5T344G8GM1H		1/19/2018 9:48:10 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: Min. Password Length: Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: 1 Additional Information: Privileges: -	4739	0		0	13569	0	-9214364837600034816	13895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x10 User Account Control: 'Don't Expire Password' - Disabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	13894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H	4724	0		0	13824	0	-9214364837600034816	13893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/19/2018 9:47:34 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	13892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: ?? Max. Password Age: Force Logoff: ?? Lockout Threshold: Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: 0 Machine Account Quota: 0 Mixed Domain Mode: 0 Domain Behavior Version: - OEM Information: - Additional Information: Privileges: -	4739	0		0	13569	0	-9214364837600034816	13891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 User: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xfac Process Name: C:\Windows\System32\Sysprep\sysprep.exe	4798	0		0	13824	0	-9214364837600034816	13890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:33 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:33 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The audit log was cleared. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Domain Name: WIN-5T344G8GM1H Logon ID: 0x1F0E3	1102	0		4	104	0	4620693217682128896	13887	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	436	1136	WIN-5T344G8GM1H		1/19/2018 9:47:33 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Log clear	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]